- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Sending to different index based on host from sysl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sending to different index based on host from syslog stream
Ok, so I'm not sure what I'm doing wrong here. I need to send data coming in on the standard syslog UDP 514 stream based on hostname (Most of it going to main, the rest going to a custom index).
i created a new props.conf in etc/system/local with just:
[host::10.10.10.*]
TRANSFORM-test = route_to_test
And a new transforms.conf with just:
[route_to_test]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = test
My intention was to route anything coming in from 10.10.10.* to an index named test, however everything is still going to main.
What am I missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Guys,
I have same question I have 4 hosts 2 development and 2 production. I have created two index dev & prod.
I am using syslog TCP 514 port so how should i transfer production logs on prod and dev logs on dev index ?
I tried every combination but no luck... please help to find solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Really though, it seems to me his original solution should work as long as the incoming host name is in fact 10.10.10.*. I guess I would set the sourcetype to something not syslog (something that doesn't set the host) so you can see what's in the incoming data to be sure.
Oh, wait. Can you try:
TRANSFORMS-test = route_to_test
instead of:
TRANSFORM-test = route_to_test
And also as southeringtonp suggests, do not use the regex .*, use just .? or (?=) instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is how you need to configure the transform:
[route_to_test]
SOURCE_KEY=MetaData:Host
DEST_KEY=_MetaData:Index
REGEX=^host::(10\.10\.10\.\d+)$
FORMAT=test
WRITE_META=true
and you could use the sourcetype or source in the props:
[syslog]
TRANSFORMS-test = route_to_test
or
[source::udp:514]
TRANSFORMS-test = route_to_test
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you sure? I experienced it in the past that it did not work without the WRITE_META...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, you don't need WRITE_META = true if writing to the _MetaData:Index DEST_KEY.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could probably use your approach with the WRITE_META=true stuff as well. Didn't try that one exactly myself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this: REGEX=^host::(10.10.10.\d+|192.168.0.\d+)$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So how would you do multiple subnets (or hosts) to multiple indexes then coming in on a syslog stream?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the REGEX statement require a capture group here? I can't remember...
What happens if you change it to:
REGEX = (.)
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
